Cryptology ePrint Archive: Report 2009/205

Abstract: Consider a scenario in which an adversary, attacking a certain public key encryption scheme, gains knowledge of several ciphertexts
which underlying plaintext are meaningfully related with a given target ciphertext. This kind of
related message attack has been proved
successful against several public key encryption schemes; widely
known is the Franklin-Reiter attack to RSA with low exponent and
its subsequent improvement by Coppersmith. However, to the best of
our knowledge no formal treatment of these type of attacks has to
date been done, and as a result, it has not been rigorously studied which of the ``standard'' security notions
imply resilience to them.

We give formal definitions of several security
notions capturing the resistance to this kind of attacks. For
passive adversaries we prove that, for the case of
indistinguishability, security against related message attacks is
equivalent to standard CPA security. On the other hand,
one-wayness robust schemes in this sense can be seen as
strictly between OW-CPA and IND-CPA secure schemes.
Furthermore, we prove that the same holds for active (CCA)
adversaries.